      1 // Copyright 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_
      6 #define CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_
      7 
      8 #include <map>
      9 #include <string>
     10 #include <vector>
     11 
     12 #include "base/basictypes.h"
     13 #include "base/memory/ref_counted.h"
     14 #include "base/memory/scoped_ptr.h"
     15 #include "base/memory/weak_ptr.h"
     16 #include "chromeos/chromeos_export.h"
     17 #include "chromeos/network/onc/onc_certificate_importer.h"
     18 #include "components/onc/onc_constants.h"
     19 
// Forward declarations from base/ so this header does not have to pull in the
// full definitions; the declarations below only use these types through
// references, pointers and scoped_refptr.
// NOTE(review): SingleThreadTaskRunner is declared here but not referenced
// anywhere in this header; it looks like a leftover and is harmless.
namespace base {
class DictionaryValue;
class ListValue;
class SequencedTaskRunner;
class SingleThreadTaskRunner;
}
     26 
// Forward declarations from net/. CertificateList is re-declared here rather
// than included; it presumably mirrors the typedef in net's certificate
// headers — a redefinition with a different type would fail to compile once
// both headers are included in the same translation unit.
namespace net {
class NSSCertDatabase;
class X509Certificate;
typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
}
     32 
     33 namespace chromeos {
     34 namespace onc {
     35 
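// This class handles certificate imports from ONC (both policy and user
// imports) into a certificate store. The GUID of Client certificates is stored
// together with the certificate as Nickname. In contrast, Server and CA
// certificates are identified by their PEM and not by GUID.
//
// Security-relevant contract (as far as this header shows):
//  - Web trust ("Web" in the ONC TrustBits attribute) is only applied when the
//    caller grants |allow_trust_imports| (see ParseServerOrCaCertificate).
//    Presumably that flag is derived from |source| in the .cc so that only the
//    intended ONC source can add trust anchors — confirm there; a wrong
//    |source| value would let a user-supplied ONC install a trusted CA.
//  - All NSSCertDatabase accesses happen in the static helpers, which are run
//    on |io_task_runner_| (see ParseAndStoreCertificates); the public entry
//    point is asynchronous.
// TODO(pneubeck): Replace Nickname by PEM for Client
// certificates. http://crbug.com/252119
class CHROMEOS_EXPORT CertificateImporterImpl : public CertificateImporter {
 public:
  // |io_task_runner| will be used for NSSCertDatabase accesses.
  // |target_nssdb| is the database certificates are imported into. It is kept
  // as a raw pointer (see |target_nssdb_|), so the caller retains ownership
  // and must keep it alive for the lifetime of this importer and of any import
  // still pending on |io_task_runner|.
  CertificateImporterImpl(
      const scoped_refptr<base::SequencedTaskRunner>& io_task_runner,
      net::NSSCertDatabase* target_nssdb);
  virtual ~CertificateImporterImpl();

  // CertificateImporter overrides
  //
  // Imports the entries of the ONC certificate list |certificates| coming from
  // |source|. The actual parsing and storing runs on |io_task_runner_|;
  // |done_callback| receives the overall success flag and, judging by the
  // parameter names of RunDoneCallback, the certificates that were given web
  // trust (|onc_trusted_certificates|).
  virtual void ImportCertificates(const base::ListValue& certificates,
                                  ::onc::ONCSource source,
                                  const DoneCallback& done_callback) OVERRIDE;

 private:
  // Hands the result of an import back to |callback|. Presumably bound through
  // |weak_factory_| so that the reply is dropped if this importer is destroyed
  // before the import finishes — confirm in the .cc.
  void RunDoneCallback(const CertificateImporter::DoneCallback& callback,
                       bool success,
                       const net::CertificateList& onc_trusted_certificates);

  // This is the synchronous implementation of ImportCertificates. It is
  // executed on the given |io_task_runner_|. Being static it does not touch
  // |this|, so it may safely outlive the importer on that sequence.
  // Ownership of |certificates| is not visible from the header; check how the
  // .cc binds it before changing the signature.
  static void ParseAndStoreCertificates(::onc::ONCSource source,
                                        const DoneCallback& done_callback,
                                        base::ListValue* certificates,
                                        net::NSSCertDatabase* nssdb);

  // Lists the certificates that have the string |label| as their certificate
  // nickname (exact match). Results are appended to |result|.
  static void ListCertsWithNickname(const std::string& label,
                                    net::CertificateList* result,
                                    net::NSSCertDatabase* target_nssdb);

  // Deletes any certificate that has the string |label| as its nickname (exact
  // match). The name suggests the associated private key is removed as well,
  // and the bool presumably reports success — confirm both in the .cc.
  static bool DeleteCertAndKeyByNickname(const std::string& label,
                                         net::NSSCertDatabase* target_nssdb);

  // Parses and stores/removes |certificate| in/from the certificate
  // store. Returns true if the operation succeeded. |allow_trust_imports| is
  // forwarded to ParseServerOrCaCertificate and gates whether web trust may be
  // granted at all.
  static bool ParseAndStoreCertificate(
      bool allow_trust_imports,
      const base::DictionaryValue& certificate,
      net::NSSCertDatabase* nssdb,
      net::CertificateList* onc_trusted_certificates);

  // Imports the Server or CA certificate |certificate|. Web trust is only
  // applied if the certificate requests the TrustBits attribute "Web" and if
  // the |allow_trust_imports| permission is granted, otherwise the attribute is
  // ignored. |cert_type| is presumably the ONC "Type" value distinguishing the
  // two kinds; certificates that do receive web trust are presumably appended
  // to |onc_trusted_certificates| (the parameter name suggests so).
  static bool ParseServerOrCaCertificate(
      bool allow_trust_imports,
      const std::string& cert_type,
      const std::string& guid,
      const base::DictionaryValue& certificate,
      net::NSSCertDatabase* nssdb,
      net::CertificateList* onc_trusted_certificates);

  // Imports the Client certificate |certificate|; per the class comment |guid|
  // is stored as the certificate's nickname. Returns true on success, like
  // ParseAndStoreCertificate.
  static bool ParseClientCertificate(const std::string& guid,
                                     const base::DictionaryValue& certificate,
                                     net::NSSCertDatabase* nssdb);

  // The task runner to use for NSSCertDatabase accesses.
  scoped_refptr<base::SequencedTaskRunner> io_task_runner_;

  // The certificate database to which certificates are imported. Raw pointer;
  // nothing in this header takes ownership, so the caller must keep the
  // database alive (see constructor comment).
  net::NSSCertDatabase* target_nssdb_;

  // Must be the last member so that weak pointers are invalidated before the
  // other members are destroyed.
  base::WeakPtrFactory<CertificateImporterImpl> weak_factory_;

  DISALLOW_COPY_AND_ASSIGN(CertificateImporterImpl);
};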
    112 
    113 }  // namespace onc
    114 }  // namespace chromeos
    115 
    116 #endif  // CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_
    117